From 52b6673b7af6c6018c9aa093692979a7a3597fd9 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 12 Jan 2022 00:09:02 +0100 Subject: kubernetes/base: use cri-dockerd when docker runtime is configured --- roles/kubernetes/base/tasks/cri_docker.yml | 27 ++++++++++++++++++++-- .../base/templates/cri-dockerd.service.j2 | 27 ++++++++++++++++++++++ .../base/templates/cri-dockerd.socket.j2 | 12 ++++++++++ .../base/templates/kubelet.service.override.j2 | 5 ---- 4 files changed, 64 insertions(+), 7 deletions(-) create mode 100644 roles/kubernetes/base/templates/cri-dockerd.service.j2 create mode 100644 roles/kubernetes/base/templates/cri-dockerd.socket.j2 (limited to 'roles/kubernetes') diff --git a/roles/kubernetes/base/tasks/cri_docker.yml b/roles/kubernetes/base/tasks/cri_docker.yml index a9b5dec1..91de6836 100644 --- a/roles/kubernetes/base/tasks/cri_docker.yml +++ b/roles/kubernetes/base/tasks/cri_docker.yml @@ -3,7 +3,7 @@ assert: msg: "The variable kubernetes_cri_socket is not configured correctly. You might need to move your host to the group kubernetes-cluster or standalone-kubelet!" that: - - kubernetes_cri_socket == "unix:///var/run/dockershim.sock" + - kubernetes_cri_socket == "unix:///var/run/cri-dockerd.sock" - name: create systemd snippet directory file: @@ -14,7 +14,7 @@ copy: content: | [Unit] - After=docker.service + After=cri-dockerd.service dest: /etc/systemd/system/kubelet.service.d/after-docker.conf - name: disable bridge and iptables in docker daemon config and switch to systemd cgroup driver 
@@ -32,3 +32,26 @@ - name: install docker include_role: name: docker/engine + +- name: install cri-dockerd + apt: + name: cri-dockerd + state: present + +- name: install systemd units for cri-docker + loop: + - socket + - service + template: + src: "cri-dockerd.{{ item }}.j2" + dest: "/etc/systemd/system/cri-dockerd.{{ item }}" + +- name: make sure cri-docker is started and enabled + loop: + - socket + - service + systemd: + daemon_reload: yes + name: "cri-dockerd.{{ item }}" + enabled: yes + state: started diff --git a/roles/kubernetes/base/templates/cri-dockerd.service.j2 b/roles/kubernetes/base/templates/cri-dockerd.service.j2 new file mode 100644 index 00000000..a83a18f0 --- /dev/null +++ b/roles/kubernetes/base/templates/cri-dockerd.service.j2 @@ -0,0 +1,27 @@ +[Unit] +Description=CRI Interface for Docker Application Container Engine +Documentation=https://docs.mirantis.com +After=network-online.target firewalld.service docker.service +Wants=network-online.target +Requires=cri-dockerd.socket +StartLimitBurst=3 +StartLimitIntervalSec=60s + +[Service] +Type=notify +ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d +ExecReload=/bin/kill -s HUP $MAINPID +TimeoutSec=0 +RestartSec=2 +Restart=always +# Having non-zero Limit*s causes performance problems due to accounting overhead +# in the kernel. We recommend using cgroups to do container-local accounting. +LimitNOFILE=infinity +LimitNPROC=infinity +LimitCORE=infinity +TasksMax=infinity +Delegate=yes +KillMode=process + +[Install] +WantedBy=multi-user.target diff --git a/roles/kubernetes/base/templates/cri-dockerd.socket.j2 b/roles/kubernetes/base/templates/cri-dockerd.socket.j2 new file mode 100644 index 00000000..8dfa27d4 --- /dev/null +++ b/roles/kubernetes/base/templates/cri-dockerd.socket.j2 
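Review bot: The `install systemd units for cri-docker` task writes both unit files without `owner`, `group` or `mode`, so their permissions depend on the umask of the Ansible run, and nothing restarts cri-dockerd when a template changes. The last task only asserts `state: started`, so an edited unit (for example tightened socket permissions) is picked up by `daemon_reload` while the running socket and service keep their old settings until someone restarts them by hand. I would add `owner: root`, `group: root` and `mode: "0644"` to the template task, and register its result or notify a handler that restarts the changed unit. The `apt` task also installs `cri-dockerd` unpinned from whatever repository the host has configured; that repository setup is not visible in this diff, so confirm it is a signed source.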
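Review bot: Nothing in this template says where the unit comes from, and because the role installs it under /etc/systemd/system it takes precedence over any `cri-dockerd.service` the apt package may ship (not visible here), so later packaged changes to the unit would not reach these hosts. A header comment such as `# Based on the upstream cri-dockerd unit, <UPSTREAM_VERSION>; shadows the packaged unit, re-sync on upgrade` would make that explicit. Separately, `LimitCORE=infinity` is not covered by the accounting-overhead comment above it. The unit sets no `User=`, so the daemon runs as root while serving CRI requests; consider `LimitCORE=0` unless core dumps are deliberately collected.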
@@ -0,0 +1,12 @@ +[Unit] +Description=CRI Docker Socket for the API +PartOf=cri-dockerd.service + +[Socket] +ListenStream=%t/cri-dockerd.sock +SocketMode=0660 +SocketUser=root +SocketGroup=docker + +[Install] +WantedBy=sockets.target diff --git a/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 index 00f2c360..d4637c72 100644 --- a/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 +++ b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 @@ -1,11 +1,6 @@ [Service] ExecStart= ExecStart=/usr/bin/kubelet \ -{% if kubernetes_container_runtime != 'docker' %} --container-runtime=remote \ --container-runtime-endpoint={{ kubernetes_cri_socket }} \ -{% else %} - --container-runtime=docker \ - --network-plugin=cni \ -{% endif %} --config=/etc/kubernetes/kubelet.yml -- cgit v1.2.3
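Review bot: `SocketMode=0660` with `SocketGroup=docker` lets every member of the docker group talk to the CRI endpoint, although the only client this commit configures is the kubelet, which presumably runs as root (its base unit is not part of the diff). Access to a CRI socket allows creating containers on the node and should be treated as root-equivalent; docker group members usually have that already through the Docker socket, but a second such endpoint still widens what has to be audited. If nothing else needs it, `SocketMode=0600` and `SocketGroup=root` keep the socket to root only. Note also that `%t` expands to /run, while the assert in cri_docker.yml expects `unix:///var/run/cri-dockerd.sock`, which relies on /var/run being a symlink to /run.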